Heartbleed security flaw

15/04/2014

As you may have seen in the news, an internet security bug in the popular OpenSSL cryptographic software library, named “Heartbleed”, was discovered recently.

Although we are not aware of any data being compromised on our systems as a result, the security of your data is of great importance to us. Therefore, as a precaution, we recommend that you consider changing your password if you logged into our website between 19 February 2014 and 9 April 2014.

Which systems were affected?
The Heartbleed security flaw (CVE-2014-0160) only affects systems that use OpenSSL. Most of our systems do not use OpenSSL, but our login service at www.bcs.org/login does and has done so since 19 February 2014.

Although we have now patched our affected services, as a precaution, we recommend that anyone who used our login service between 19 February 2014 and 9 April 2014 should consider changing their password. Please visit www.bcs.org/password if you wish to do this.

What have we done to deal with this issue?
As soon as we became aware of this risk, we took steps to patch affected servers. We have also replaced SSL certificates for affected domains. These actions eliminated the risk that the Heartbleed bug could be exploited on our services, although we have no evidence that our data was compromised at any time.

What else should I do?
If you are concerned that other websites you use may have been affected, please contact the site owners for advice. We recommend you only change your password for other services if you are confident the affected sites have correctly patched the Heartbleed bug.

A number of security companies are providing tools to check if a particular website is vulnerable. We recommend https://filippo.io/Heartbleed/. We also recommend the BBC News article at http://www.bbc.co.uk/news/technology-26969629 for further information and advice.